FTC Petitioned on Data Profiling

Mephistopholies sent /. a link to an AP article about this Washington hearing, but I prefer the more complete NY Times story about it. The Federal Trade Commission is being asked to examine web profiling and tracking technology as used by the likes of Doubleclick to track users across multiple sites. The article also notes that it is likely some sort of bill to facilitate taking away individuals' domain names (you may have heard this spun as an "anti-cybersquatting" bill) will pass this year.

A side note: slashdot readers who like YRO stories should realize that we will posting an increasing number of them in the YRO section only - they won't ever appear on the main page of slashdot.org, but will be accessible via the Sections link on the left side of the page, and there's a YRO slashbox now, too, so you can see the headlines for YRO on the home page if you so desire (and are minimally competent at setting your user preferences).

Re:Snurk.

[A+Big+Gnu+Thrush]

I wonder if, like the meat industry, we aren't really motivated by short term profit at any cost? Our privacy, our dignity as humans, anything for money.

There is, of course, nothing wrong with a profit motive, but I think this last statement is a bit cynical.

Most libertarian netizens have valid fears of government regulation. The Internet has done just fine without Congress passing any laws. The government often functions as a third party with interests and agendas separate from either the consumer or provider. Government regulation isn't always rational laws from a disinterested party, sometimes it is motiviated by greed and profit.

In addition, with men like Al Gore still holding elected office, many people doubt that governments can understand the basic issues (technical and otherwise) required for passing reasonable laws.

To use your analogy, the Internet is not meat packing, if it were, Bill Clinton would have all the answers. Still, innocent users are being misled. Some kind of protection is needed and the private sector is doing a miserable job of filling that role.

Marketting info.

[ucblockhead]

I recently worked for a large retailer who also did a lot of catalog business, and they did (and certainly still do) quite a bit to collect info on their customers. I just figured I'd throw out some of the whys so that people could see it from their point of view. This isn't about anything online, but I'm sure that the same rules apply.

They send out a huge number of catalogs every year, and those catalogs cost them a fair amount to produce. At least $1 a pop. So obviously it is in their best interest to only send catalogs to those who actually want them. And in a very real sense, if they were able to do this perfectly, it would be good for the consumer as well. No one would be bothered with junk mail they didn't want. In theory, it would be a win-win situation.

But to go about this requires collecting a lot of data, some of it that would bother a privacy expert, and likely even a normal customer. For example, they want to track whether or not you go to the store after receiving a catalog. This tells them that, even though you didn't order through the catalog, it still brought you to the store and therefore wasn't a wasted mailing. Of course, to do this, they have to somehow get your address when you buy from the store.

I was in the unfortunate position of doing some of the programming at the front end, and it bothered me because we quite literally were doing things behind our customer's backs. For instance, store personel would ask for a customer's zip-code "for marketting purposes". Now, I'm sure nearly everyone thinks this is for some sort of demographic info. It is not. Instead, they take the zip code, and your name, and use the combination to figure out your entire address. In other words, they say, "Aha, this credit card number belongs to the John Smith at zipcode 12345. Since there is only one, this means that he's the one that lives at 555, mockingbird lane. let's send him a catalog".

We used check readers for similar purposes. Customers assume that their checks are being authorized. They are not. Instead, the bank account number is captured, and then sent to a nice little service that returns a name and address when given a bank account number.

But again, this is all just to figure out who to send catalogs to. Which creates an interesting situation. The company ends up with all this data on you, your name, credit card number, bank account. Data that I'm sure makes everyone here a little (or a lot) queasy to see in someone's hands. Yet it isn't captured for any real nefarious purpose. It is, at least in theory, captured to help you, at least from the company's point of view.

This is why companies can act so schizophrenic about privacy. They truly do what they do to help "serve you better". Unfortunately, the end result is not necessarily in your best interest.

I completely understand the whole situation at "Real". I'm sure that the people who invaded the privacy of all of their users truly believed that they were doing what they were doing to help serve their customers better. That is what makes the corporate invasion of privacy so insidious. The people who do it don't think they are doing anything to hurt anyone. And they really aren't, in their own little world. But the net effect of a thousand companies "better serving" their customers is a complete and utter destruction of any notion of privacy.

IPChains blocking

[Mark+F.+Komarinski]

This got me thinking about just blocking anything from doubleclick. Here's my ipchains-save:

-A output -s 0.0.0.0/0.0.0.0 -d 208.211.225.89/255.255.255.255 -j REJECT
-A output -s 0.0.0.0/0.0.0.0 -d 199.95.207.0/255.255.255.0 -j REJECT
-A output -s 0.0.0.0/0.0.0.0 -d 199.95.208.0/255.255.255.0 -j REJECT
-A output -s 0.0.0.0/0.0.0.0 -d 204.253.104.80/255.255.255.255 -j REJECT


Use 'em, abuse 'em, let me know if there's more IPs.

ipchains-restore (file with above text)